1.\" 2.\" $FreeBSD: src/lib/libpam/modules/pam_login_access/login.access.5,v 1.17 2006/09/13 18:34:32 joel Exp $ 3.\" 4.Dd September 13, 2006 5.Dt LOGIN.ACCESS 5 6.Os 7.Sh NAME 8.Nm login.access 9.Nd login access control table 10.Sh DESCRIPTION 11The 12.Nm 13file specifies (user, host) combinations and/or (user, tty) 14combinations for which a login will be either accepted or refused. 15.Pp 16When someone logs in, the 17.Nm 18is scanned for the first entry that 19matches the (user, host) combination, or, in case of non-networked 20logins, the first entry that matches the (user, tty) combination. 21The 22permissions field of that table entry determines whether the login will 23be accepted or refused. 24.Pp 25Each line of the login access control table has three fields separated by a 26.Ql \&: 27character: 28.Ar permission : Ns Ar users : Ns Ar origins 29.Pp 30The first field should be a "+" (access granted) or "-" (access denied) 31character. 32The second field should be a list of one or more login names, 33group names, or ALL (always matches). 34The third field should be a list 35of one or more tty names (for non-networked logins), host names, domain 36names (begin with "."), host addresses, internet network numbers (end 37with "."), ALL (always matches) or LOCAL (matches any string that does 38not contain a "." character). 39If you run NIS you can use @netgroupname 40in host or user patterns. 41.Pp 42The EXCEPT operator makes it possible to write very compact rules. 43.Pp 44The group file is searched only when a name does not match that of the 45logged-in user. 46Only groups are matched in which users are explicitly 47listed: the program does not look at a user's primary group id value. 48.Sh FILES 49.Bl -tag -width /etc/login.access -compact 50.It Pa /etc/login.access 51login access control table 52.El 53.Sh SEE ALSO 54.Xr login 1 , 55.Xr pam_login_access 8 56.Sh AUTHORS 57.An Guido van Rooij 58